rename completed tasks, hook to claude memory changs

This commit is contained in:
Dobromir Popov
2026-07-13 14:14:37 +02:00
parent e8ef2fd222
commit 09af5c47f8
21 changed files with 64 additions and 37 deletions

View File

@@ -0,0 +1,46 @@
Status: done
# 02 — A2: Unified auth boundary for privileged and financial reads
## What to build
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.
**Code refs:**
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_forfeit` (~24292464) — H3: non-empty `Authorization` only
- `packages/tracker/meshnet_tracker/server.py``_handle_benchmark_hop_penalty` (~26502658), `_handle_benchmark_results` (~27452748) — H3
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_summary` (~23662371) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_settlements` (~24072412) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_registry_wallets` (~23912405) — H4
- `packages/tracker/meshnet_tracker/server.py``_session_account` (~2468+), `_handle_admin_accounts` (~25882608) — H4
- `packages/tracker/meshnet_tracker/accounts.py``session_account()`, `create_session()` only (session store; not handler wiring)
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from `20-validator-service-token_completed.md` in the same implementation if practical.
## Test-first
1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity.
2. Red: GET `/v1/billing/summary` without admin session returns 401/403.
3. Green: middleware + role checks; existing inference API-key path unchanged.
## Acceptance criteria
- [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers
- [ ] Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
- [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
- [ ] Financial read endpoints require admin session (alpha posture)
- [ ] Benchmark write/read require admin or service token
- [ ] Integration tests for each endpoint class (reject unauth, accept valid)
## ADR links
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
## Related
- `20-validator-service-token_completed.md` — checklist for validator service token format, rotation, forfeit auth
## Blocked by
None. This issue should land before `01-c1-gossip-auth_completed.md`.